Linux - Networking (forum for any issue related to networks or networking: routing, network cards, OSI, etc.)
I do not have any forwarding turned on. Is this BIND trying to forward to some other DNS server, or is there a machine on the network trying to go to this IP address? If there is a machine doing it, how can I get the 'offending' machine's IP address?
Probably pair.com DNS server malarkey. What happens if you add the "lame-servers" directive to your named.conf (restart named)?
how can I get the 'offending' machine's ip address?
You could run tcpdump on the DNS server. Say you serve requests on eth2 for clients from subnet 10.144.122.0/24: "tcpdump -w /var/log/tcpdump.pcap -i eth2 -n -nn -v src net 10.144.122.0/24 and port 53". Note this turns on ethernet device promiscuous mode. Also note if you don't like to sniff as root use "-U". BTW, if you want to resolve addresses for localnet purposes and have a persistent cache of resolved addresses you don't need to run named with all its dependencies: check out Pdnsd.
Perhaps pair.com is refusing to resolve queries for spam and/or spyware domains? It seems like your TCP (wtf am I smoking? dns doesn't use TCP for short queries) connection may have been rejected for that request, or pair might have patched their DNS servers to allow for specific queries to be refused.
Anyway, it looks like a machine on your network is probably infested with spyware and it's trying to resolve "www.specialoffersnetworks.com". When your nameserver does the recursive lookup, the nameserver at PAIR is refusing it. ns3.pair.com is listed as the first nameserver in the whois record for specialoffersnetworks.com. That is 209.68.1.15. I'm getting a SERVFAIL even trying to look up their SOA record. Iiiinnnnnnnteresting.
Wow... I appreciate all the responses. What I have done so far is add the query logging. I will try tcpdump afterwards if I do not get anywhere. I know it has to be some user on our network with some sort of adware on their machine. I am just looking for which one. We do have a couple of habitual offenders...
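Once query logging is on, the BIND log itself answers the "which machine?" question: every line names the client address that asked. The script below is an added example, not code from anyone in this thread; it assumes the BIND 9 query-log line format (old style and the newer style with "@0x..." and the name in parentheses) and runs over constructed sample lines.

```python
import re
from collections import Counter

# Regex for BIND 9 query-log lines. Older builds log
#   "client 10.144.122.17#51234: query: www.example.com IN A + (10.144.122.1)"
# newer ones insert "@0x<addr>" after "client" and "(name)" before "query:".
# Format assumed from BIND 9 documentation; adjust if your build differs.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample log lines (not from the thread); 10.144.122.0/24 is the
# client subnet used as an example earlier in the discussion.
SAMPLE_LOG = """\
10-Jan-2010 09:12:01.123 client 10.144.122.17#51234: query: www.specialoffersnetworks.com IN A + (10.144.122.1)
10-Jan-2010 09:12:01.456 client 10.144.122.40#40001: query: www.linuxquestions.org IN A + (10.144.122.1)
10-Jan-2010 09:12:02.789 client 10.144.122.17#51235: query: www.specialoffersnetworks.com IN A + (10.144.122.1)
10-Jan-2010 09:12:03.001 client @0x7f3a1c0 10.144.122.23#60002 (www.specialoffersnetworks.com): query: www.specialoffersnetworks.com IN A +E(0)K (10.144.122.1)
10-Jan-2010 09:12:04.002 client 10.144.122.40#40002: query: mail.example.net IN MX + (10.144.122.1)
"""


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each line that parses as a query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")


def clients_for(log_text, suffix):
    """Count, per client IP, the queries whose name is `suffix` or a subdomain of it."""
    suffix = suffix.rstrip(".").lower()
    counts = Counter()
    for ip, name, _qtype in parse_queries(log_text):
        if name == suffix or name.endswith("." + suffix):
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    # Hosts asking for the suspicious domain, busiest first.
    for ip, n in clients_for(SAMPLE_LOG, "specialoffersnetworks.com").most_common():
        print(f"{ip}\t{n}")
```

On a real server, feed it the file named by the querylog channel in named.conf instead of SAMPLE_LOG; the most frequent client is the machine to look at.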